One Article Review

Home - The article:
Source Anomali
Identifier 5664956
Publication date 2022-07-11 22:59:00 (viewed: 2022-07-11 23:06:41)
Title Anomali Cyber Watch: Brute Ratel C4 Framework Abused to Avoid Detection, OrBit Kernel Malware Patches Linux Loader, Hive Ransomware Gets Rewritten, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, India, Malspam, Ransomware, Russia, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs (published: July 7, 2022)

SentinelLabs researchers detected yet another China-sponsored threat group targeting Russia with a cyberespionage campaign. The attacks start with a spearphishing email containing Microsoft Office maldocs built with the Royal Road malicious document builder. These maldocs drop the Bisonal backdoor remote access trojan (RAT). Besides the targeted Russian organizations, the same attackers continue to target other countries such as Pakistan. This China-sponsored activity is attributed with medium confidence to Tonto Team (CactusPete, Earth Akhlut).

Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from advanced persistent threats (APTs), including a focus on both network- and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.

MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Exploitation for Client Execution - T1203

Tags: China, source-country:CN, Russia, target-country:RU, Ukraine, Pakistan, target-country:PK, Bisonal RAT, Tonto Team, APT, CactusPete, Earth Akhlut, Royal Road, 8.t builder, CVE-2018-0798

OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow (published: July 6, 2022)

Intezer researchers describe a new Linux malware dubbed OrBit that was fully undetected at the time of discovery. This malware hooks functions and adds itself to all running processes, but unlike previously described Linux threats it does not rely on the LD_PRELOAD environment variable. Instead, it achieves persistence by adding the path of the malware to /etc/ld.so.preload and by patching the binary of the dynamic loader itself so that it loads the malicious shared object. OrBit establishes an SSH connection, then stages and exfiltrates stolen credentials. It evades detection by hooking the functions that show running processes or network connections and filtering their output.

Analyst Comment: Defenders are advised to use network telemetry to detect anomalous SSH traffic associated with OrBit exfiltration attempts. Consider network segmentation, storing sensitive data offline, and deploying security solutions as statically linked executables.

MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Hide Artifacts - T1564 |
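As an added example (not code from the Anomali or Intezer write-ups), the following Python script implements two host-side checks for the OrBit persistence mechanisms described above: it parses /etc/ld.so.preload the way glibc reads it (whitespace- or colon-separated entries, '#' starts a comment) and flags entries absent from an allowlist, and it compares the dynamic loader's SHA-256 against a known-good value recorded at deploy time. The loader path and known-good hash in the main block are placeholders, and the sample preload contents are constructed.

```python
"""Defender-side checks for ld.so.preload persistence and loader tampering."""
import hashlib
import os
import re

def parse_ld_so_preload(text):
    """Return the shared-object entries of an ld.so.preload file.
    glibc treats whitespace and ':' as separators and '#' as a comment
    to end of line, so the parser does the same."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]               # strip comments
        entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries

def flag_preload_entries(entries, allowlist=()):
    """Return entries not explicitly allowed. A clean host normally has no
    /etc/ld.so.preload at all, so the default allowlist is empty."""
    return [e for e in entries if e not in allowlist]

def loader_hash(data):
    return hashlib.sha256(data).hexdigest()

def loader_modified(data, known_good_sha256):
    """True when the loader bytes no longer match the hash recorded at
    deploy time (e.g. taken from the distribution package, stored offline)."""
    return loader_hash(data) != known_good_sha256.lower()

# Constructed sample file contents with a comment, mixed separators and
# an entry in a world-writable directory (a typical review trigger).
SAMPLE_PRELOAD = "# managed\n/usr/lib/allowed.so   /opt/x/hook.so:/tmp/h.so\n"

if __name__ == "__main__":
    path = "/etc/ld.so.preload"
    if os.path.exists(path):
        with open(path) as f:
            bad = flag_preload_entries(parse_ld_so_preload(f.read()))
        print("ld.so.preload entries to review:", bad or "none")
    else:
        print("no /etc/ld.so.preload present (expected on a clean host)")
    # Placeholders: set LOADER_PATH for your architecture and KNOWN_GOOD to
    # the hash recorded for that loader before the host went into service.
    LOADER_PATH = "/lib64/ld-linux-x86-64.so.2"
    KNOWN_GOOD = "0" * 64
    if os.path.exists(LOADER_PATH):
        with open(LOADER_PATH, "rb") as f:
            print("loader modified:", loader_modified(f.read(), KNOWN_GOOD))
```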
Notes
Sent Yes
Tags Ransomware Malware Tool Vulnerability Threat Patching
Stories APT 29


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from an earlier one.